Mason Landrum wrote:
> Anyone,
>
> I will be needing to set up a secure method of transferring information
> between our agencies. This method will also have to meet HIPAA (Health
> Insurance Portability and Accountability Act) security and encryption
> regulations. I would prefer this method to be e-mail based but we could live
> with FTP. I currently have GB Pro and am considering moving up to GB-Flash
> for the VPN capability. However, I could also use NT's PPTP VPN with
> encryption which I believe uses 128-bit encryption. My questions are:

Almost a year ago, I posted the following:
http://www.gnatbox.com/ubb/Forum1/HTML/000114.html

Other than some grammatical errors, I stand by what I said there... HOWEVER, ethically, since you are dealing with OTHER people's data, you should probably take a few extra steps. Using a known vulnerable protocol when dealing with data that is about other people is tacky, even if not a serious security risk. More...

> 1) Which do all of you prefer and why?

Well, considering Microsoft's track record on security system implementations, pig latin encryption might be more secure. They just don't get it... the 'net is not a friendly place. However, PPTP is probably an easier setup.

> 2) Do you trust MS PPTP (is it really secure)?

No, but it probably isn't your issue, at least from an OPERATIONAL standpoint. HOWEVER, as you have someone looking over your shoulder and standards to meet, not to mention it sounds like you are dealing with people's very private data, something better than PPTP would be wise, for warm fuzzies, if nothing else.

> 3) What encryption level does GnatBox use?

Check out chapter 9 of the GB Manual for a full answer:
http://www.gnatbox.com/Pages/docs/chapters/09-VPN.pdf

There is far more to security than bit count, however. Just check out "Wired Equivalent Privacy" (that's one of the great misnamings of all time, it turns out: 128-bit encryption is available, and it is virtually as breakable as the 40-bit -- which in this case is very breakable. Note that it isn't breakable because it is 40-bit -- it is breakable because it is, well, broke). Note that the encryption algorithms used by GB are well documented and well respected for their security.

> 4) Will either of these methods meet HIPAA requirements?

Got me. You didn't provide any official link, but in my brief search, it looked like the key words were "encryption", "passwords", "checksums", etc. The phrase "token effort" popped into mind.

But then, I doubt I'd be impressed if they started laying out a bunch of buzzwords that still left the doors wide open (i.e., 128-bit keys -- doesn't mean squat if the implementation is broke). I would think a good interpretation is "good faith effort per technology and knowledge at the time", but considering the time I spent researching (little), that might be more hope than real interpretation. 8-)

> 5) For those of you at the mercy of HIPAA, how are you meeting these
> requirements when secure transfer of data is concerned?

(I'm not dealing with HIPAA at the moment, so this is a more general philosophical answer.)

As I indicated in the above link, the real concern I would have is not that someone would sniff your data mid-stream, but that someone would attack either end and tap your database directly. This isn't a one-piece solution. If I wanted in your data, there are a few routes I would probably investigate...

1. Can I break your firewall's base OS? I'm not going to waste my time trying to decrypt your data stream -- I don't care if it is a one-time-pad or ROT-13, too much like work getting to the stream, much too likely to get caught. Much easier to work over the base OS, turn it into a monitoring platform for all your communications. (GB wins the prize here. IF I managed to break the OS and get access, I still can't think of anything I (realistically) could do on a GB system.)

2. Can I enter your network through a nice, poorly secured IIS web server (or any other)? If you haven't checked out what Code Red II lets anyone in the world do to your systems, do so. Scary.

3. Can I enter through some hole that an executive in your office made you put in your system? Likely bets would be AOL's Virtually Penetrated Network. Executives are so nice to crackers. They want all the toys, but don't have the time to deal with the issues, and the implementers are afraid to say "You are being an idiot" out loud to them.

4. Can I get good stuff out of your trash dumpsters?

5. Can I slip your cleaning person $50 to accidentally drop one of your backup tapes into my hands? ("What happened to the tape?" "It was here last night, must have been the cleaning person!" "Tape? Oh, yeah, I saw one of those on the floor, thought it was some packing material, threw it out. Sorry." Look in your dumpster, there will even be a similar tape in a pile of wet coffee grounds. Not the same tape, but you aren't going to stick it in your drive to find out.)

6. Can I persuade one of your employees to run a custom worm to let me suck your systems dry from the inside out? (Modified "Frog-in-a-blender", something everyone "knows" is harmless.) Your virus scanner won't pick it up, btw. Scanners will pick up known viruses and worms, but if I want you, I'll write one fresh (or alter the signatures of a standard one), just for you.

That was just a few minutes of thought, and I don't do this kind of stuff (and yes, it kinda scared me that I could do that so quickly). Of all those, your firewall will help with only #1 and slightly on #2. #3-5 are administration issues -- operations policies, not technology. #6 is a user education issue, and potentially your most devastating hole. Just ask Microsoft about that one...

The point is, if your data is important, you had better take security seriously -- don't just discuss GB's VPN vs. PPTP, and think you got it covered. The web lets the world work your office over in some ways from anywhere, but the close-to-home, low-tech stuff didn't go away. User education is key -- if you can't get people to stop running attachments, and take office security seriously, disconnect them from the 'net. Or fire 'em.

A further note: You mentioned sending data by e-mail. Standard e-mail is a plain-text protocol, and most popular e-mail server packages store the data unencrypted. If your e-mail server is in-house and your sites communicate with it via the VPN, fine, but critical data should never be sent via e-mail across the Internet.

FTP is almost as bad, for much the same reason, plus it does involve a login and password, all sent in plain text. You might want to look at SCP -- a secured, encrypted file transfer protocol.

Nick.
--
http://www.holland-consulting.net/
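The last two paragraphs of the reply make a concrete, checkable claim: on the wire, an FTP login and an SMTP message are readable by anyone who sees the packets, while an SSH/SCP session exposes nothing past its version banner. The script below is an added example, not part of Nick's post and not GnatBox code. It plays the role of a monitor auditing an agency's own outbound traffic: given one line of payload per packet (the capture, host names and credentials are all constructed for the example), it reports which cleartext protocols leaked a username, a password, a transferred file name or message content, and redacts the secrets so the report itself does not re-leak them.

```python
import base64
from dataclasses import dataclass

# Constructed sample of what a sniffer between two sites would see for the
# three protocols the reply compares: FTP control channel (port 21), SMTP
# (port 25) and SSH/SCP (port 22). Tuples are (dst port, direction, payload line).
# None of these hosts, users or passwords are real.
SAMPLE_CAPTURE = [
    (21, "c2s", "USER clinic-transfer"),
    (21, "s2c", "331 Password required for clinic-transfer"),
    (21, "c2s", "PASS Summer2001!"),
    (21, "s2c", "230 User clinic-transfer logged in"),
    (21, "c2s", "STOR patient_export.csv"),
    (25, "c2s", "EHLO mail.example.org"),
    # SASL PLAIN is base64 of "\0user\0password": encoding, not encryption.
    (25, "c2s", "AUTH PLAIN " + base64.b64encode(b"\0clinic\0Summer2001!").decode()),
    (25, "s2c", "235 Authentication successful"),
    (25, "c2s", "MAIL FROM:<intake@example.org>"),
    (25, "c2s", "DATA"),
    (25, "c2s", "Subject: transfer"),
    (25, "c2s", "Patient J. Doe, DOB 1960-01-01, diagnosis code 250.00"),
    (25, "c2s", "."),
    # On port 22 only the version banner is ever readable; everything after the
    # key exchange is ciphertext, so the monitor has nothing to flag.
    (22, "c2s", "SSH-2.0-OpenSSH_2.9"),
]


@dataclass
class Finding:
    port: int
    kind: str    # e.g. "ftp-password", "smtp-message-body"
    detail: str  # what was exposed; secrets are redacted to their length


def _redact(secret: str) -> str:
    """Report only the length so the audit output does not repeat the secret."""
    return f"<{len(secret)} chars>"


def find_cleartext_exposures(capture):
    """Walk client-to-server payload lines and collect everything a passive
    observer could read: FTP credentials and file names, SMTP AUTH PLAIN
    credentials, and SMTP message content between DATA and the lone '.'."""
    findings = []
    in_smtp_data = False
    for port, direction, line in capture:
        if direction != "c2s":
            continue
        if port == 21:
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                findings.append(Finding(port, "ftp-username", arg))
            elif verb == "PASS":
                findings.append(Finding(port, "ftp-password", _redact(arg)))
            elif verb in ("STOR", "RETR"):
                findings.append(Finding(port, "ftp-filename", arg))
        elif port == 25:
            if in_smtp_data:
                if line == ".":
                    in_smtp_data = False
                else:
                    findings.append(Finding(port, "smtp-message-body", line))
            elif line.upper().startswith("AUTH PLAIN "):
                raw = base64.b64decode(line.split(" ", 2)[2])
                _authzid, user, password = raw.split(b"\0")
                findings.append(Finding(
                    port, "smtp-auth-plain",
                    f"user={user.decode()} password={_redact(password.decode())}"))
            elif line.upper() == "DATA":
                in_smtp_data = True
        # Port 22: nothing to inspect; the session is encrypted past the banner.
    return findings


def count_by_kind(findings):
    """Summarise findings as {kind: count} for a quick per-protocol tally."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_cleartext_exposures(SAMPLE_CAPTURE):
        print(f"port {f.port:<3} {f.kind:<18} {f.detail}")
    print(count_by_kind(find_cleartext_exposures(SAMPLE_CAPTURE)))
```

Run against the constructed capture it flags six items, all on ports 21 and 25 and none on port 22. The SMTP AUTH PLAIN line is worth noting for anyone who assumes base64 is a form of protection: the script decodes it in one call, exactly as any observer could.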
